A honeypot is a decoy system deployed to attract attackers and to record what they do: who connected, from where, which techniques and tools they used, and what they were after. It also offers some protection by drawing malware and opportunistic attacks away from systems that hold sensitive data. A honeypot consists of a host, an operating system, applications and data that together look like a production system worth attacking, but that in reality has no legitimate users, is isolated from the real environment, and is closely monitored so that everything done to it is captured.
Types of Honeypots
There are two primary types of honeypots: research honeypots and production honeypots.
Research Honeypots
Research honeypots exist to study attacks in detail: how intruders get in, what tools they drop and how they move afterwards, so that better defences can be developed. The data on a research honeypot is often seeded with unique identifiers (marker values that occur nowhere else) so that stolen copies can be recognised later and separate attacks can be linked to the same actor.
Production Honeypots
Production honeypots are placed in a network alongside real production servers and act as decoys that feed an Intrusion Detection System (IDS): any connection to a host that offers no legitimate service is by definition suspicious. Their purpose is to distract attackers from the real servers long enough for an administrator to notice the activity and to assess and mitigate the vulnerabilities on the actual production systems. Two or more honeypots on one network form a honeynet, a deliberately vulnerable network segment whose traffic is entirely captured and analysed.
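The following is an added example, not code from the original article or from any of the products it names: a minimal low-interaction TCP decoy of the kind a production honeypot is built from. It listens on one port, sends a fake service banner (the OpenSSH version string is a hypothetical choice), records the first bytes the client sends as hex so that attacker input is never interpreted, and emits one JSON object per connection for the IDS or log pipeline. The `run_demo` helper, the localhost probe and port 2222 are all assumptions made for the example.

```python
import json
import socket
import threading
import time

# Banner sent to anyone who connects; mimics an SSH service (hypothetical version string).
DECOY_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"
MAX_CAPTURE = 512  # bytes of client input kept per connection


def record_event(peer, local_port, data, banner=DECOY_BANNER):
    """Build one structured log record for a connection to the decoy service.

    Nothing is executed or interpreted: the client's bytes are stored as hex so
    that a later review cannot be tricked by control characters or terminal
    escapes in attacker-supplied input.
    """
    return {
        "ts": time.time(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": local_port,
        "banner_sent": banner.decode("ascii", "replace").strip(),
        "bytes_received": len(data),
        "payload_hex": data[:MAX_CAPTURE].hex(),
    }


def handle_client(conn, peer, local_port, sink):
    """Serve one client: send the banner, read a little input, log it, close."""
    with conn:
        conn.settimeout(3.0)
        try:
            conn.sendall(DECOY_BANNER)
            data = conn.recv(MAX_CAPTURE)
        except (socket.timeout, OSError):
            data = b""
        sink(record_event(peer, local_port, data))


class Honeypot:
    """Single-port, low-interaction TCP decoy. Every record is kept in self.events."""

    def __init__(self, host="127.0.0.1", port=0):
        self.events = []
        self._lock = threading.Lock()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(16)
        self.port = self._srv.getsockname()[1]  # port=0 gives an ephemeral port

    def _sink(self, rec):
        with self._lock:
            self.events.append(rec)
        print(json.dumps(rec))  # one JSON object per line for the log pipeline

    def serve_one(self):
        """Accept a single connection and handle it (used by the demo below)."""
        conn, peer = self._srv.accept()
        handle_client(conn, peer, self.port, self._sink)

    def serve_forever(self):
        while True:
            conn, peer = self._srv.accept()
            threading.Thread(target=handle_client, args=(conn, peer, self.port, self._sink),
                             daemon=True).start()

    def close(self):
        self._srv.close()


def simulate_probe(port, payload):
    """Act as a scanner: connect to the decoy, read the banner, send a payload."""
    with socket.create_connection(("127.0.0.1", port), timeout=3) as c:
        banner = c.recv(256)
        c.sendall(payload)
    return banner


def run_demo(payload=b"root\r\n"):
    """Start a decoy on an ephemeral port, probe it once, return (banner, log records)."""
    hp = Honeypot()
    t = threading.Thread(target=hp.serve_one, daemon=True)
    t.start()
    banner = simulate_probe(hp.port, payload)
    t.join(5)
    hp.close()
    return banner, hp.events


if __name__ == "__main__":
    hp = Honeypot(port=2222)
    print(f"decoy listening on 127.0.0.1:{hp.port}")
    hp.serve_forever()
```

Run it as a script to leave a decoy listening, or call `run_demo()` to see the record a single probe produces. Because the host has no real users, every record this emits is worth a look; the production-grade version would write to a log store off the honeypot host and bind the decoy to the ports a real server in that segment would expose.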
Benefits:
– A honeypot is a good way to learn which methods attackers are actually using against your networks.
– Because a honeypot offers no legitimate service, almost every connection to it is unauthorised or hostile, so reviewing its logs is highly efficient: nearly all of the recorded activity is malicious, unlike the logs of a production server where attacks are buried in legitimate traffic. Expect a small amount of benign noise from your own vulnerability scanners, monitoring and misconfigured clients, and allowlist those sources.
– It is cost effective: a retired machine or a small virtual machine is enough, and there is high-quality, free, open source honeypot software.
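To show what "nearly everything in the log is malicious" looks like in practice, here is an added triage script (my example, not part of the original article). It reads honeypot records in the one-JSON-object-per-line shape used above, tolerates malformed lines, groups activity by source address and gives each source a verdict. The sample log, the field names and the allowlist entry `10.0.0.5` (standing in for an internal vulnerability scanner) are all constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample honeypot log, one JSON object per line; not real traffic.
# payload_hex is the hex of the first bytes the client sent (empty for a bare connect).
SAMPLE_LOG = """\
{"ts": 1700000000.1, "src_ip": "203.0.113.7", "dst_port": 22, "payload_hex": ""}
{"ts": 1700000000.4, "src_ip": "203.0.113.7", "dst_port": 80, "payload_hex": ""}
{"ts": 1700000000.9, "src_ip": "203.0.113.7", "dst_port": 445, "payload_hex": ""}
{"ts": 1700000001.2, "src_ip": "203.0.113.7", "dst_port": 3389, "payload_hex": ""}
{"ts": 1700000030.0, "src_ip": "198.51.100.23", "dst_port": 22, "payload_hex": "726f6f740d0a"}
{"ts": 1700000031.0, "src_ip": "198.51.100.23", "dst_port": 22, "payload_hex": "61646d696e0d0a"}
{"ts": 1700000032.0, "src_ip": "198.51.100.23", "dst_port": 22, "payload_hex": "746f6f720d0a"}
{"ts": 1700000100.0, "src_ip": "192.0.2.10", "dst_port": 80, "payload_hex": "474554202f2e656e7620485454502f312e310d0a"}
{"ts": 1700000200.0, "src_ip": "10.0.0.5", "dst_port": 22, "payload_hex": ""}
{"ts": 1700000200.0, "src_ip": "10.0.0.5", "dst_port": 80, "payload_hex": ""}
{"ts": 1700000200.0, "src_ip": "10.0.0.5", "dst_port": 443, "payload_hex": ""}
this line is not JSON and must not abort the run
"""

# Constructed allowlist: sources that legitimately touch the decoy (e.g. an internal scanner).
ALLOWLIST = {"10.0.0.5"}


def parse_log(text):
    """Return (events, bad_line_count). Malformed lines are counted, never fatal."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            raw = bytes.fromhex(rec.get("payload_hex", ""))
            rec["payload"] = raw.decode("ascii", "replace")  # safe, printable view only
            events.append(rec)
        except (ValueError, TypeError, AttributeError):
            bad += 1
    return events, bad


def summarize(events):
    """Group records by source: distinct ports touched, hit count, payloads, time span."""
    by_src = defaultdict(lambda: {"ports": set(), "hits": 0, "payloads": [],
                                  "first": None, "last": None})
    for e in events:
        s = by_src[e["src_ip"]]
        s["ports"].add(e["dst_port"])
        s["hits"] += 1
        if e["payload"]:
            s["payloads"].append(e["payload"])
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    return by_src


def classify(src_ip, s):
    """Simple verdicts; the allowlist is checked first so known scanners never alert."""
    if src_ip in ALLOWLIST:
        return "expected"
    if not s["payloads"] and len(s["ports"]) >= 3:
        return "port-scan"          # many ports, never spoke: sweeping, not exploiting
    if any(p.lstrip().startswith(("GET ", "POST ", "HEAD ")) for p in s["payloads"]):
        return "web-probe"          # spoke HTTP to a decoy: look at the requested paths
    if s["payloads"]:
        return "interactive"        # sent data (here: credential guesses on port 22)
    return "touch"                  # a single bare connect, still worth recording


def triage(text):
    """Return ({src_ip: verdict}, bad_line_count) for a log in the format above."""
    events, bad = parse_log(text)
    verdicts = {ip: classify(ip, s) for ip, s in summarize(events).items()}
    return verdicts, bad


if __name__ == "__main__":
    verdicts, bad = triage(SAMPLE_LOG)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:16} {verdict}")
    print(f"skipped {bad} malformed line(s)")
```

With the sample above, the three external sources come out as a port scan, an SSH credential-guessing session and a web probe, while the allowlisted scanner is marked expected; on a production server the same four sources would be a handful of lines among thousands of legitimate requests.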
Cons:
– Limited field of view: a honeypot only sees activity directed at it; an attacker who never touches it goes unnoticed, so it complements rather than replaces network-wide monitoring.
– Fingerprinting: attackers can often recognise a honeypot from an unexpected characteristic or behaviour, such as a service banner that does not match the real implementation, unrealistic response timing, or a host with no real users, files or history.
– Introduces risk into the environment: once compromised, a honeypot can be used as a stepping stone to attack other systems or organisations unless it is properly isolated, with outbound connections restricted and its logs shipped off the host so a successful intruder cannot erase them.
Best Honeypots:
Glastopf – An open source web application honeypot written in Python. It emulates a vulnerable web server and is built around vulnerability types rather than individual bugs, so it can respond convincingly to whole classes of attack such as remote and local file inclusion and SQL injection. The project has since been superseded by SNARE and TANNER from the same developers, so check the repository's status before deploying it.
KFSensor – A commercial, Windows-based honeypot that is widely regarded as one of the most polished products in the space. It has a wide range of features and is regularly updated.
Specter – A commercial honeypot with a few interesting features, such as "marker files": decoy files carrying unique identifiers that can be used to trace where stolen data ends up.
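The unique identifiers that research honeypots seed into their data, and the marker files Specter is noted for, both rest on the same idea: a token that exists nowhere legitimate, so any later sighting of it proves the decoy was copied. The block below is an added example of how such markers can be generated and recognised; it is not Specter's implementation nor code from the original article. The `HPMARK-` format, the example secret and the decoy config file are assumptions made for the illustration. The token carries an HMAC over its own identifier, so a hit can be verified without a lookup and a garbled or forged token is distinguishable from a real one.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timezone

# Hypothetical key: load it from a secret store in practice, never keep it on the honeypot.
MARKER_SECRET = b"example-only-rotate-me"
# Token layout (an assumption for this example): HPMARK-<8 hex decoy id>-<16 hex HMAC>
MARKER_RE = re.compile(r"HPMARK-([0-9a-f]{8})-([0-9a-f]{16})")


def _mac(secret, decoy_id):
    """Truncated HMAC-SHA256 binding the decoy id to our secret."""
    return hmac.new(secret, decoy_id.encode(), hashlib.sha256).hexdigest()[:16]


def new_marker(secret=MARKER_SECRET, decoy_id=None):
    """Mint a fresh marker; the id is random so markers cannot be enumerated."""
    decoy_id = decoy_id or os.urandom(4).hex()
    return f"HPMARK-{decoy_id}-{_mac(secret, decoy_id)}"


def verify_marker(token, secret=MARKER_SECRET):
    """Return the decoy id if the token is well-formed and its MAC is ours, else None."""
    m = MARKER_RE.fullmatch(token)
    if not m:
        return None
    decoy_id, mac = m.groups()
    if not hmac.compare_digest(mac, _mac(secret, decoy_id)):
        return None
    return decoy_id


def plant_decoy_file(registry, host, path, secret=MARKER_SECRET):
    """Create marker content for a decoy file and remember where it was planted."""
    token = new_marker(secret)
    decoy_id = verify_marker(token, secret)
    registry[decoy_id] = {"host": host, "path": path,
                          "planted": datetime.now(timezone.utc).isoformat()}
    # Constructed decoy content: looks like a config a thief would grab; the token is the password.
    content = f"[database]\nhost=db01.internal\nuser=backup\npassword={token}\n"
    return token, content


def find_markers(blob, registry, secret=MARKER_SECRET):
    """Scan observed data (a leaked dump, outbound payload, paste) for our markers."""
    hits = []
    for m in MARKER_RE.finditer(blob):
        token = m.group(0)
        decoy_id = verify_marker(token, secret)
        if decoy_id is None:
            hits.append({"token": token, "status": "forged-or-corrupt"})
        elif decoy_id in registry:
            hits.append({"token": token, "status": "match", **registry[decoy_id]})
        else:
            hits.append({"token": token, "status": "valid-but-unregistered",
                         "decoy_id": decoy_id})
    return hits


if __name__ == "__main__":
    registry = {}
    token, content = plant_decoy_file(registry, "honeypot-01", "/srv/backup/db.conf")
    print(content)
    # Constructed "leak": the decoy file turned up inside some dumped data.
    for hit in find_markers("--- dump ---\n" + content + "--- end ---\n", registry):
        print(hit)
```

Every marker should be unique per decoy file and per host, so that a hit tells you not just that data was stolen but which system it came from; the registry (here a dict) is what turns a token into that attribution.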
Honeypots cannot replace other security mechanisms such as firewalls, intrusion prevention systems and intrusion detection systems, but they are a strong supplement to an existing security architecture: a tool for gathering intelligence on real attacks and for proactively identifying which systems and weaknesses attackers are targeting.